Hacker News new | past | comments | ask | show | jobs | submit login

You just had your servers hacked into and all your database are belong to them. The black hats demand X number of BitCoins as ransom, but you cannot pay because it violates certain laws. So you hire an intermediary who pays for you, thereby avoiding the legal problem.

https://www.theverge.com/2020/8/4/21353842/garmin-ransomware...




You want to kill someone but you can’t because that’s like totally illegal so you just hire a hitman and now it’s just a business expense.


It's not really the same. Killing someone is illegal, regardless of who is doing it.

For the TSA it is illegal to collect the information, but apparently it is not illegal for the outsourced companies.

Also, in Garmin's case it was not illegal for Arete IR to offer the service of ransomware negotiation.


The killing example still bites you because the intent to kill, knowing & abetting, etc still matters, regardless of method to do so. It's not just the murder, but also everything around the murder that gets swept into it.

It seems to me data collection is illegal, so TSA doesnt do it directly -- the problem is that TSA intends to collect, and knowingly (and provably?) works around it, but is not being punished for it.


This is not really true. The TSA does not intend to collect, but to obtain an "ok person", "not-ok person" stamp. Then they decide with the info they gathered in the conversation with the person in question. They are not obtaining the data and have no intention of doing so. Yet a stamp like "criminal activity in the past" would be a questionable one. I don't know how they stamp the person.

Nevertheless I think they are doing a bad thing, because you can rest assured that this collected data won't get deleted, possibly even sold to 3rd parties.


This also seems like it pretty unambiguously still breaks the law. Has it been tested in court yet?

I wonder if it's kind of a "it's small fry, and these businesses are getting their data back, we'll turn our backs to it unless it's actual violent terrorists receiving ransom money" sort of thing.


Haven't touched it at all, but I strongly suspect that the hired corporation is treated like a blackbox.

Middleman: OK, hand us the encrypted data and 125% of whatever the ransomeware is asking.

Middleman: Outcome A: Here's your data back. Outcome B: We were unable to get your data back, here's your full refund.


Isn't that willful ignorance, and therefore on shaky ground legally.


You do have to prove intent of willful ignorance beyond a reasonable doubt though, which is easier said than done.

It takes legwork to establish intent, which is why justice is never carried out very quickly.


> Has it been tested in court yet?

No.

> I wonder if it's kind of a "it's small fry, and these businesses are getting their data back, we'll turn our backs to it unless it's actual violent terrorists receiving ransom money" sort of thing.

1. It's difficult to believe that organized crime isn't involved in at least some ransomware schemes.

2. Is it illegal to pay protection money?


Strange, this is kinda what Huawei is being accused of in Iran. They used a proxy company to do business with a sanctioned country. Although Huawei seemed to directly control the company management, whereas Arete IR is technically an independent company hired as a contractor.

Still it's a pretty weak loophole bypass.


Super common for everything happening with Iran/Sudan/N. Korea. Shell companies inside of shell companies. Demands & markets don't stop just cuz of sanctions...


You want to pay off a porn star you had an affair with but you're running for president. https://en.wikipedia.org/wiki/Stormy_Daniels%E2%80%93Donald_... so you give your a lawyer a retainer and they make the transaction.


>you cannot pay because it violates certain laws

What laws would it violate?


Funding criminals


> "You just had your servers hacked into and all your database are belong to them."

I see what you did there. Well played.


I was wondering if the meme was too old for most people to recognize.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: